← All posts
2 min read

GuardDuty: Create detector from the CLI

#aws#cli#guardduty#security#threat-detection
📑 On this page

Part 709 of AWS from Zero. This is lesson 8 in the GuardDuty track.

What we are learning

Use create-detector to create or register one GuardDuty resource through the CLI. This lesson identifies the required input shape, saves the raw response, and keeps inspection separate from execution.

The AWS CLI operation is aws guardduty create-detector. Required operation inputs: --enable (boolean). The modeled top-level response contains DetectorId, UnprocessedDataSources.

Before you run it

aws sts get-caller-identity
REGION="${AWS_REGION:-ap-south-1}"
ENABLE="replace-with-enable"
aws guardduty create-detector help

Use a sandbox account or an approved learning environment. Read the operation help before supplying identifiers, ARNs, network ranges, policy documents, or customer data.

Cost note: GuardDuty analyzes events and data sources with usage-based pricing after any trial.

The command

aws guardduty create-detector \
  --enable "$ENABLE" \
  --region "$REGION" \
  --output json > part-709-response.json

The response is saved to part-709-response.json so inspection is separate from execution. The explicit variables above keep required identifiers visible before the API call.

Inspect the result

node -e "const r=require('./part-709-response.json'); console.log(Object.keys(r))"
node -e "const r=require('./part-709-response.json'); console.log(JSON.stringify(r, null, 2))"

Compare the returned identifiers and status fields with the account, Region, and resource you intended to target. For asynchronous operations, continue with the service's matching get, list, or describe command until it reaches a terminal state.

One tiny variation

node -e "const r=require('./part-709-response.json'); console.log(JSON.stringify(r["DetectorId"], null, 2))"

This variation changes output inspection rather than adding another infrastructure concept. Keep the raw JSON while developing a query so a narrow projection does not hide an error or unexpected field.

Common mistake

Do not run a generated request unchanged. Replace every placeholder, add ownership tags where supported, estimate cost, and verify that the selected Region and account are disposable.

Cleanup

# Review the inverse operation before removing the demo resource.
aws guardduty delete-detector help
rm -f part-709-request.json part-709-response.json part-709-payload.bin part-709-debug.log

Local request and response files may contain account IDs, ARNs, names, or service configuration. Remove them when the lab is complete and follow dependency-aware cleanup for any AWS resource you created.

Next, we will learn GuardDuty: Create filter from the CLI.

Official AWS CLI reference